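package authclient

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/go-chi/chi/v5"

	"git.threesix.ai/jordan/sp4-debug-1770477266/pkg/auth"
	"git.threesix.ai/jordan/sp4-debug-1770477266/pkg/httpclient"
	"git.threesix.ai/jordan/sp4-debug-1770477266/pkg/logging"
)

// newMockAuthServer starts an httptest server that stands in for the auth
// service. It accepts exactly one credential, "Bearer valid-token", and
// answers it with a ValidateResponse for user-123. Every other request,
// including one with no Authorization header at all, gets 401 and a JSON
// error body. The caller must Close the returned server.
func newMockAuthServer(t *testing.T) *httptest.Server {
	t.Helper()
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "Bearer valid-token" {
			w.Header().Set("Content-Type", "application/json")
			resp := ValidateResponse{
				Data: ValidateData{
					UserID: "user-123",
					Email:  "test@example.com",
				},
			}
			// Report encoding failures instead of dropping them; t.Errorf is
			// safe to call from the server's handler goroutine.
			if err := json.NewEncoder(w).Encode(resp); err != nil {
				t.Errorf("mock auth server: encoding validate response: %v", err)
			}
			return
		}

		w.WriteHeader(http.StatusUnauthorized)
		if err := json.NewEncoder(w).Encode(map[string]any{"error": "invalid token"}); err != nil {
			t.Errorf("mock auth server: encoding error response: %v", err)
		}
	}))
}

// TestMiddleware_ValidToken checks that a request carrying the token the mock
// auth server accepts reaches the protected handler with the validated user
// attached to its context.
func TestMiddleware_ValidToken(t *testing.T) {
	server := newMockAuthServer(t)
	defer server.Close()

	client := &Client{
		baseURL:    server.URL,
		httpClient: httpclient.New(httpclient.Config{MaxRetries: 1}),
		logger:     logging.Nop(),
	}

	var capturedUserID string
	r := chi.NewRouter()
	r.Use(Middleware(client))
	r.Get("/test", func(w http.ResponseWriter, r *http.Request) {
		// A nil user leaves capturedUserID empty, which fails the identity
		// assertion below.
		if user := auth.GetUser(r.Context()); user != nil {
			capturedUserID = user.ID
		}
		w.WriteHeader(http.StatusOK)
	})

	req := httptest.NewRequest(http.MethodGet, "/test", nil)
	req.Header.Set("Authorization", "Bearer valid-token")
	w := httptest.NewRecorder()
	r.ServeHTTP(w, req)

	if w.Code != http.StatusOK {
		t.Errorf("expected status 200, got %d: %s", w.Code, w.Body.String())
	}
	if capturedUserID != "user-123" {
		t.Errorf("expected user ID 'user-123', got '%s'", capturedUserID)
	}
}

// TestMiddleware_MissingToken checks that a request without an Authorization
// header is answered with 401 and never reaches the protected handler.
func TestMiddleware_MissingToken(t *testing.T) {
	server := newMockAuthServer(t)
	defer server.Close()

	client := &Client{
		baseURL:    server.URL,
		httpClient: httpclient.New(httpclient.Config{MaxRetries: 1}),
		logger:     logging.Nop(),
	}

	// The status code alone does not prove the request was stopped:
	// httptest.ResponseRecorder keeps the first status written, so a
	// middleware that wrote 401 and then still called the next handler would
	// report 401 here. Track the call explicitly.
	handlerCalled := false
	r := chi.NewRouter()
	r.Use(Middleware(client))
	r.Get("/test", func(w http.ResponseWriter, r *http.Request) {
		handlerCalled = true
		w.WriteHeader(http.StatusOK)
	})

	req := httptest.NewRequest(http.MethodGet, "/test", nil)
	w := httptest.NewRecorder()
	r.ServeHTTP(w, req)

	if w.Code != http.StatusUnauthorized {
		t.Errorf("expected status 401, got %d", w.Code)
	}
	if handlerCalled {
		t.Error("protected handler ran for a request with no Authorization header")
	}
}

// TestMiddleware_InvalidToken checks that a request whose bearer token the
// mock auth server rejects is answered with 401 and never reaches the
// protected handler.
func TestMiddleware_InvalidToken(t *testing.T) {
	server := newMockAuthServer(t)
	defer server.Close()

	client := &Client{
		baseURL:    server.URL,
		httpClient: httpclient.New(httpclient.Config{MaxRetries: 1}),
		logger:     logging.Nop(),
	}

	// As in the missing-token test, record whether the downstream handler
	// ran; a 401 status by itself would not reveal a fail-open middleware.
	handlerCalled := false
	r := chi.NewRouter()
	r.Use(Middleware(client))
	r.Get("/test", func(w http.ResponseWriter, r *http.Request) {
		handlerCalled = true
		w.WriteHeader(http.StatusOK)
	})

	req := httptest.NewRequest(http.MethodGet, "/test", nil)
	req.Header.Set("Authorization", "Bearer invalid-token")
	w := httptest.NewRecorder()
	r.ServeHTTP(w, req)

	if w.Code != http.StatusUnauthorized {
		t.Errorf("expected status 401, got %d", w.Code)
	}
	if handlerCalled {
		t.Error("protected handler ran for a request with a rejected token")
	}
}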